MegaCracker v0.2a multi threaded and fixed a few bugs. Don't use the long parameter name with an equal sign. There's an off by one bug --input=asdf looks for a file named "=asdf". Also --hash=... will process the hash wrong and won't crack it. On a i7-2600 I get 4820 c/s (single hash and 100 hashes) without precomputed data and 4.59 Mc/s (single hash) and 317 Kc/s (100 hashes) with precomputed data.
MegaHash List I precomputed some passwords so you can crack these faster.
|Confirmation Link Hash:||N/A|
|Confirmation Link Hash (for MegaCracker):||N/A|
|Encrypted master key:||N/A|
There is your password, password key, master key, confirmation link hash, and login hash. To derive your password key you do (65536 * (passwordLength + 15) / 16) rounds of AES128 encryption. The master key is generated randomly and is AES128 encrypted with your password key and stored at Mega. The hash found in the confirmation link is 64 bits of random data and 64 bits of zeros AES128 encrypted with your password key. The login hash is your email address compressed with xor, encrypted 16,384 times with your password key, and truncated to 64 bits.
"str_to_a32()" is not Unicode safe. This is used to convert your password into an array of 32 bit numbers. This limits the key space since Unicode character values larger than 255 leak over. So passwords "bĀ" and "cĀ" are equivalent (Ā is U+0100). Not as bad as $2x$ but still not good.
The confirmation link hashes are salted, but they are salted after key stretching which means it's really fast when you look at many users.
Attacking the confirmation links:
Note that "properly salted" and "Mega" columns are number of rounds of AES128. Note you can sort of compare PBKDF2 to Mega's KDF by looking at the "difference" column. If you were to tuned PBKDF2 to take the same amount of time as Mega's KDF. Although there are speed differences depending on the platform of the cracking rig.
Good news is that the login hashes are salted in the middle of key stretching.
Attacking the login hashes (assuming they don't do any server side hashing):
Bad news is the login hashes are much harder than checking a file.
Attacking the files:
Hey it could be worse they could be like LastPass¹:
¹ LastPass can throw an error that tells the client to send a salted double SHA256 of your password.
"SHA256(SHA256_lower_case_hex(email + password) + password)" to be exact.
² "x" is the hardness of the key stretching.
³ Mega uses AES and LastPass uses SHA256. On CPUs, 1x AES is 8.7x faster than 3x SHA256 (benchmarked with Q9300). With less than 8,500 users LastPass is weaker otherwise Mega is weaker. On GPUs 1x AES is roughly 1.5x faster than 3x SHA256. With less than roughly 100,000 users LastPass is weaker otherwise Mega is weaker.